Description
Path Traversal: '.../...//' vulnerability in hashshop WizShop wizshop allows Path Traversal.This issue affects WizShop: from n/a through <= 3.0.2.
Published: 2025-03-03
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is a Path Traversal flaw that can be leveraged to read arbitrary files from the server. By supplying a specially crafted path containing traversal sequences, an attacker may read sensitive data and potentially enable further compromise such as remote code execution if executable files are accessed. The weakness is classified as CWE-35.

Affected Systems

The affected software is the WordPress WizShop plugin from hashshop, impacting all installations using versions up through 3.0.2.

Risk and Exploitability

With a CVSS score of 8.1, this represents a high severity issue, and the low EPSS score (< 1%) indicates that exploitation is considered unlikely to be frequent, though still possible. The vulnerability is not listed in the CISA KEV catalog. An attacker can likely trigger it by manipulating HTTP requests directed at the plugin, feeding a traversal pattern such as "../" to reach arbitrary files. No exploit code is publicly available, but the path traversal vector can be active through standard web requests.

Generated by OpenCVE AI on May 2, 2026 at 03:49 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade WizShop to the latest available version that fixes the path traversal flaw.
  • If an updated version is not available, deactivate or delete the WizShop plugin to remove the attack surface.
  • Configure a web application firewall or server rules to block requests containing traversal sequences such as "../" aimed at the plugin’s URL space.
  • Implement strict input validation on any user-supplied paths within the application or server to prevent traversal attempts.

Generated by OpenCVE AI on May 2, 2026 at 03:49 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-5641 Path Traversal vulnerability in NotFound WizShop allows PHP Local File Inclusion. This issue affects WizShop: from n/a through 3.0.2.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Path Traversal vulnerability in NotFound WizShop allows PHP Local File Inclusion. This issue affects WizShop: from n/a through 3.0.2. Path Traversal: '.../...//' vulnerability in hashshop WizShop wizshop allows Path Traversal.This issue affects WizShop: from n/a through <= 3.0.2.
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Tue, 04 Mar 2025 03:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 03 Mar 2025 13:45:00 +0000

Type Values Removed Values Added
Description Path Traversal vulnerability in NotFound WizShop allows PHP Local File Inclusion. This issue affects WizShop: from n/a through 3.0.2.
Title WordPress WizShop Plugin <= 3.0.2 - Local File Inclusion vulnerability
Weaknesses CWE-35
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:35.866Z

Reserved: 2025-02-03T13:34:51.001Z

Link: CVE-2025-25122

cve-icon Vulnrichment

Updated: 2025-03-03T17:00:59.393Z

cve-icon NVD

Status : Deferred

Published: 2025-03-03T14:15:52.033

Modified: 2026-04-23T15:25:39.050

Link: CVE-2025-25122

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-02T04:00:13Z

Weaknesses